RE: Fetch: HTTP authentication and CORS from HU, BIN on 2013-05-08 (public-webapps@w3.org from April to June 2013)

From: HU, BIN <bh526r@att.com>
Date: Wed, 8 May 2013 23:11:32 +0000
To: Paul Libbrecht <paul@hoplahup.net>
CC: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>, Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@annevk.nl>, WebApps WG <public-webapps@w3.org>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <179FD336116F754C876A9347238FE29A01026D64@WABOTH9MSGUSR8L.ITServices.sbc.com>

That is correct.

Thanks
Bin

From: Paul Libbrecht [mailto:paul@hoplahup.net]
Sent: Wednesday, May 08, 2013 1:14 PM
To: HU, BIN
Cc: Hallvord Reiar Michaelsen Steen; Jonas Sicking; Anne van Kesteren; WebApps WG; WebAppSec WG
Subject: Re: Fetch: HTTP authentication and CORS

On 7 mai 2013, at 02:23, HU, BIN wrote:
Because "nonce" is needed to generate the appropriate digest, the 401 challenge is required.

So the lesson here is: any developer that intends to use authenticated XHR should always start with an XHR that is a simple ping-like GET, then do the real things. Right?

Paul

Received on Wednesday, 8 May 2013 23:12:19 UTC